View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0023720||mantisbt||security||public||2017-12-12 17:23||2018-03-27 15:50|
|Target Version||Fixed in Version|
|Summary||0023720: Passwords (plaintext) in Mantis configuration file|
A password stored in the Mantis config file is a security issue, even if file access is well locked (chmod 600, owned by the apache process). Example: somebody who had/usurped root access will easily see the information needed to read/write/delete mysql data on a SQL server where he has no rights.
I know that somebody who accesses the config file containing an encrypted password will be able to decrypt the password using Mantis methods. Password encryption is a "border" that forces the viewer to know how Mantis works to decrypt it. In some situations, that risk avoidance will discourage the exploit or delay it.
The question was asked in 2008 (0005208) and the ticket was answered (not fixable) and closed, but I need an updated answer in the 2017 context (salt, ...):
Is it feasible to encrypt or hide passwords in the Mantis configuration file?
|Steps To Reproduce|
Consult the config_inc.php file in the config folder: $g_db_password and $g_smtp_password (if configured) are filled with a readable password.
|Tags||No tags attached.|
A common pattern for this is to use environment variables for secrets that are fetched in config_inc.php. Is there a reason why this doesn't work for you?
Thanks for the feedback.
Maybe a warning could be raised by one step of the admin/check/index page if no environment variable is used, to inform that a way exists to secure the installation a bit?
It is not a common pattern for MantisBT, but it separates passwords from config and gives you control over how you manage them.
Hi, I need to know how these concepts work as well. Does anyone have a link or reference I can use to learn about it and how to implement this with Mantis?
For the record, this is my feedback about how to configure an apache/debian environment to use environment variables as mantis password storage (thanks @vboctor for the tips):
2) tell apache to use env vars: in
3) restart apache service
4) use env vars in mantis config file
Step 1 has to be adapted regarding your OS.
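The approach described in the notes above (reading the passwords from environment variables inside config_inc.php), as an added example that is not code from this issue or from MantisBT itself. The variable names MANTIS_DB_PASSWORD and MANTIS_SMTP_PASSWORD and the helper function are assumptions; the other $g_* settings are standard MantisBT options shown with placeholder values.

```php
<?php
// Added example (not MantisBT's own code): keep secrets out of config_inc.php
// by reading them from the web server's environment.
// Assumes the web server exports MANTIS_DB_PASSWORD and MANTIS_SMTP_PASSWORD
// (names are assumptions chosen for this example).

function mantis_secret_from_env(string $name): string {
    $value = getenv($name);
    if ($value === false || $value === '') {
        // Fail closed: a missing secret must not silently turn into an empty
        // password, which would otherwise be sent to the database/SMTP server.
        http_response_code(500);
        exit('Missing required environment variable: ' . $name);
    }
    return $value;
}

// Database settings: only the password comes from the environment.
$g_hostname      = 'localhost';
$g_db_type       = 'mysqli';
$g_database_name = 'bugtracker';
$g_db_username   = 'mantis';
$g_db_password   = mantis_secret_from_env('MANTIS_DB_PASSWORD');

// SMTP settings (only needed if Mantis sends mail through an authenticated relay).
$g_smtp_host     = 'smtp.example.com';
$g_smtp_username = 'mantis';
$g_smtp_password = mantis_secret_from_env('MANTIS_SMTP_PASSWORD');
```

With mod_php the variables can be exported with SetEnv in the Apache configuration, while PHP-FPM pools need them passed through the pool's env[] settings. This separates the secrets from the config file as vboctor notes, but a user with root on the host can still read the web server process environment, so it narrows exposure rather than hiding the passwords from root.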
|2017-12-12 17:23||Mr.Bricodage||New Issue|
|2017-12-12 20:11||vboctor||Note Added: 0058379|
|2017-12-13 01:19||Mr.Bricodage||Note Added: 0058384|
|2017-12-13 02:52||vboctor||Note Added: 0058385|
|2018-03-23 12:09||Bozz||Note Added: 0059295|
|2018-03-27 15:50||Mr.Bricodage||Note Added: 0059324|